Hi Peter,
This is looking good. However, I'm not quite comfortable with list items
2.1 and 2.2 in the Security Considerations section yet:
1. The JEP doesn't seem to specify anywhere what the server should
return in the following case:
- the request did not specify a node
- there are other items as well as available resources
- the requesting entity is not authorized to receive presence
I guess this should be the other items only?
2. That example illustrates a second, more general, issue. If the normal
response to an 'unauthorized' user would contain items (no matter if the
request specified a node or not), then the following rule enables
directory harvesting: "the server MUST return an empty result set if the
target entity does not exist (no matter if the request specified a node
or not)".
> > 3. For my information only, why was this 'informative' phrase
> > inserted?
> > "although the primary use of nodes is as Items Nodes rather than as
> > info nodes"
Thanks,
- Ian
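The directory-harvesting concern in point 2 above is easier to see as a small decision model. The following Python is an added illustration, not code from the JEP or from the mailing list: it models a discovery responder that returns a list of item names, uses a constructed two-entry directory, and treats the "empty result set for a nonexistent entity" rule together with "items only for an unauthorized requester" as the draft behaviour. The hardened variant is one possible mitigation (making the unauthorized response independent of whether the target exists), not necessarily what the JEP ended up specifying.

```python
"""Toy model of the disco#items response rules discussed in the message above.

Assumptions (not from the JEP text):
- a discovery request on an entity yields a flat list of item names;
- 'items' are non-presence children, 'resources' are presence-sensitive and
  only visible to requesters authorized to receive presence;
- an unspecified node is the case being modelled.
"""

from dataclasses import dataclass, field


@dataclass
class Entity:
    items: list[str] = field(default_factory=list)      # non-presence child items
    resources: list[str] = field(default_factory=list)  # available resources (presence-sensitive)


# Constructed sample directory (hypothetical JIDs).
DIRECTORY = {
    "alice@example.org": Entity(items=["alice/pubsub"], resources=["alice/laptop"]),
    "bob@example.org": Entity(items=[], resources=["bob/phone"]),
}


def respond_draft(target: str, authorized: bool) -> list[str]:
    """Rules as quoted in the message: a nonexistent target gets an empty result set;
    an existing target gets its items, plus resources only if the requester is
    authorized to receive presence."""
    ent = DIRECTORY.get(target)
    if ent is None:
        return []
    result = list(ent.items)
    if authorized:
        result.extend(ent.resources)
    return result


def respond_hardened(target: str, authorized: bool) -> list[str]:
    """One mitigation: an unauthorized requester gets the same (empty) answer whether
    or not the target exists, so the response cannot be used as an existence oracle."""
    if not authorized:
        return []
    ent = DIRECTORY.get(target)
    return [] if ent is None else ent.items + ent.resources


def leaks_existence(responder, existing: str, missing: str) -> bool:
    """True if an unauthorized requester can tell an existing target from a missing one
    by comparing the two responses."""
    return responder(existing, False) != responder(missing, False)


if __name__ == "__main__":
    for name, fn in (("draft", respond_draft), ("hardened", respond_hardened)):
        print(name, "leaks existence:",
              leaks_existence(fn, "alice@example.org", "nobody@example.org"))
```

Note that the draft rules only leak for entities that actually have non-presence items (bob, with none, is indistinguishable from a missing user either way), which is exactly why the question in point 1 matters: whatever the server returns in the "items but unauthorized" case determines whether the existence check succeeds.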